[Snort-users] welchia rule

Leonard Miller Leonard.Miller at ...7710...
Tue Nov 4 12:40:02 EST 2003


Would it matter if the payload was aaaaaaaaaaaaaaaaaaaa
and not aaaa aaaa aaaa aaaa 
The reason I ask is that I saw on arachNIDS that the rule was a little
different and picked up as CyberKit 2.2 Windows

Thanks
Leonard
Automatically inserted lawyer supplied blurb follows


>>> "Leonard Miller" <Leonard.Miller at ...7710...> 11/04/03 12:10PM >>>
Hi,
I just started using snort.  In order to use this rule, do I just add
that
to the virus.rules file and enable the rule in snort.conf?
If I should start with something a little more simple, let me know.

Thanks
Leonard
Automatically inserted lawyer supplied blurb follows.


>>> "Schmehl, Paul L" <pauls at ...6838...> 11/04/03 10:44AM >>>
> -----Original Message-----
> From: David Omar Ortega Aranda [mailto:dortega at ...10460...] 
> Sent: Monday, November 03, 2003 5:51 PM
> To: snort-users at lists.sourceforge.net 
> Subject: [Snort-users] welchia rule
> 
> Do any of you have a good working Welchia virus signature?

# This rule is for tracking Nachi infections
alert icmp $HOME_NET any -> any any (msg: "ALERT!!! NACHI
Infection!!";
content: "|aaaa aaaa aaaa\
 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
aaaa aaaa aaaa aaaa aaaa\
 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa|"; dsize:64; itype: 8;
icode: 0; \
 classtype:trojan-activity; sid: 10000008; rev: 1;)

Paul Schmehl (pauls at ...6838...)



**********CONFIDENTIALITY NOTICE**********
The information contained in this e-mail may be proprietary and/or 
privileged and is intended for the sole use of the individual or 
organization named above.  If you are not the intended recipient or an 
authorized representative of the intended recipient, any review, copying
or distribution of this e-mail and its attachments, if any, is prohibited.
If you have received this e-mail in error, please notify the sender
immediately by return e-mail and delete this message from your system.





More information about the Snort-users mailing list